Types for BioAmbients 



Sara Capecchi Angelo Troina 

Dipartimento di Informatica, Università di Torino
(capecchi,troina)@di.unito.it

The BioAmbients calculus is a process algebra suitable for representing compartmentalization, molecular
localization and movements between compartments. In this paper we enrich this calculus with a
static type system classifying each ambient with group types specifying the kind of compartments in 
which the ambient can stay. The type system ensures that, in a well-typed process, ambients cannot 
be nested in a way that violates the type hierarchy. Exploiting the information given by the group 
types, we also extend the operational semantics of BioAmbients with rules signalling errors that may 
derive from undesired ambients' moves (i.e. merging incompatible tissues). Thus, the signal of errors 
can help the modeller to detect and locate unwanted situations that may arise in a biological system, 
and give practical hints on how to avoid the undesired behaviour. 

1 Introduction 

BioAmbients [23] is a variant of the Ambient Calculus [11], in which compartments are described as
a hierarchy of boundary ambients. This hierarchy can be modified by suitable operations that have 
an immediate biological interpretation; for example, the interactions between compounds that reside 
in the cytosol and in the nucleus of a cell could be modelled via parent-child communications. Thus, 
BioAmbients is quite suitable for the representation of various aspects of molecular localization and 
compartmentalization, such as the movement of molecules between compartments, the dynamic rearrangement
that occurs between cellular compartments, and the interaction between the molecules in a
compartmentalized context. 

A stochastic semantics for BioAmbients is given in fE], and an abstract machine for this semantics is
developed in [20]. In [17] BioAmbients is extended with an operator modelling chain-like biomolecular
structures and applied within a DNA transcription example. In [21] a technique for pathway analysis
is defined in terms of static control flow analysis. The authors then apply their technique to model and 
investigate an endocytic pathway that facilitates the process of receptor mediated endocytosis. 

In this paper we extend the BioAmbients calculus with a static type system that classifies each ambient
with a group type G specifying the kind of compartments in which the ambient can stay [10]. In other
words, a group type G describes the properties of all the ambients and processes of that group. Group
types are defined as pairs (S, C), where S and C are sets of group types. Intuitively, given G = (S, C),
S denotes the set of ambient groups where ambients of type G can stay, while C is the set of ambient
groups that can be crossed by ambients of type G. On the one hand, the set S can be used to list all the
elements that are allowed within a compartment (complementarily, all the elements which are not allowed,
i.e. repelled). On the other hand, the set C lists all the elements that can cross an ambient, thus modelling 
permeability properties of a compartment. 

Starting from group types as bases, we define a type system ensuring that, in a well-typed process, 
ambients cannot be nested in a way that violates the group hierarchy. Then, we extend the operational 
semantics of BioAmbients, exploiting the information given by the group types, with rules raising warnings
and signalling errors that may derive from undesired compartment interactions. For example, while
correctness of the enter/accept capabilities (that are used to move a compartment to the inside of another 
compartment) can be checked statically, the merge capability (which merges two compartments into one) 
and the exit/expel capabilities (which are used to move a compartment from the inside to the outside of 
another compartment) could cause the movement of an ambient of type G within an ambient of type G' 
which does not accept it. In these cases, for example when incompatible tissues come in contact, an error 
signal is raised dynamically and the execution of the system is blocked. The modeller can exploit these 
signals as helpful debugging information in order to detect and locate the unwanted situations that may 
arise in a biological system. Intuitively, they give practical hints on how to avoid the undesired behaviour. 

In the last few years there has been a growing interest in the use of type disciplines to enforce
biological properties. In [3] a type system has been defined to ensure the wellformedness of links between
protein sites within the Linked Calculus of Looping Sequences (see H). In [16] three type systems are
defined for the Biochemical Abstract Machine, BIOCHAM (see [1]). The first one is used to infer
the functions of proteins in a reaction model, the second one to infer activation and inhibition effects
of proteins, and the last one to infer the topology of compartments. In [15] we have defined a type
system for the Calculus of Looping Sequences (see lH) to guarantee the soundness of reduction rules
with respect to the requirement of certain elements, and the repellency of others. Finally, in [14] we
have proposed a type system for the Stochastic Calculus of Looping Sequences (see [5]) that allows for
a quantitative analysis and models how the presence of catalysers (or inhibitors) can modify the speed of
reactions.

1.1 Summary 

The remainder of the paper is organised as follows. In Section 2 we recall the original BioAmbients
syntax. In Section 3 we define our type system and in Section 4 we give our typed operational semantics.
In Section 5 we formulate two motivating examples, namely we use our type system to analyse blood
transfusions (raising errors in the case incompatible blood types get mixed) and spore protection against
bacteriophage viruses. Finally, in Section 6 we draw our conclusions.

2 BioAmbients: Syntax 

In this section we recall the BioAmbients calculus. Ambients represent bounded mobile entities that 
can be nested forming hierarchies. They provide an intuitive means to model both membrane-bound
compartments, where the components of a compartment are isolated from the external environment, and 
molecular compartments i.e. multi molecular complexes in which molecules can be partially isolated 
from the environment. Capabilities are used to model movements changing ambients hierarchies: they 
can be employed to model membranes fusion, molecules movement, complexes formation. Finally, 
communications model interactions between components within or across ambients boundaries. 

The syntax is defined in Figure 1 and is the same as that of [23]. The only difference is that in our
syntax ambient names are not optional. We give a name to each ambient in order to associate its type
to it. Ambient names are ranged over by a, a1, b, …, channel names are ranged over by c, c1, …, capability
names are ranged over by . . .. We use n,m to range over unspecified names and P,Q, R, T to range 
over processes. 
Capabilities synchronise using names (h) and allow an ambient (1) to enter in a sibling ambient accepting
it (enter h / accept h), (2) to leave the parent ambient (exit h / expel h), (3) to merge with a
sibling forming a unique ambient (merge⊕ h / merge− h). Communications on channels ($c!{m}, $c?{m})
are prefixed by directions ($) denoting different kinds of communications: local communications (loc)
within the same ambient, sibling communications (sts) between sibling ambients, parent/child (ptc, ctp)
between nested ambients. Concerning processes syntax: inaction is a special case of summation (I = ∅)
and denotes the process doing nothing; restriction (ν n)P restricts the scope of the name n to P; P | Q
denotes the parallel composition of P and Q; !P stands for process replication; a[[P]] describes a process
P confined in an ambient named a; communication and capability choices (Σ_{i∈I} π_i.P_i, Σ_{i∈I} M_i.P_i)
generalise communication and capability prefixes respectively (π.P, S.P) and represent standard choices.

3 The Type System 

We classify ambient names with group types as in [10, 12]. Intuitively, the type G of an ambient denotes
the set of ambients where that particular ambient can stay: it describes, in terms of other group types
(possibly including G), the properties of all the ambients and processes of that group.

Group types consist of two components and are of the form (S, C), where S and C are sets of group
types. The intuitive meanings of the types' sets are the following:

• S is the set of ambient groups where the ambients of group G can stay;

• C is the set of ambient groups that G-ambients can cross, i.e., those that they may be driven into or
out of, respectively, by enter and exit capabilities.

Clearly, for all G, C(G) ⊆ S(G). If G = (S, C) is a group type, we write S(G) and C(G) respectively to
denote the components S and C of G. We call Guniv the type of universal environments where each
ambient can stay in. Types syntax is given in Figure 2.
Besides group types we have: 

• Capability types: (𝐆1, 𝐆2)^ℓ is the type associated to a name h through which ambients of types 𝐆1
and 𝐆2 can perform the movements described by ℓ.

• Channel types y: the types of the channels arguments which can be groups (G), capabilities (s) or
channels (y).

Notation 1. Let M be a capability prefix and s = (𝐆1, 𝐆2)^{M1/M2} be a capability type; we say M ∈ s if
either M = M1 or M = M2.

We now define well-formedness for capability types. 

Definition 1 (ℓ-Well-formedness). A capability type (𝐆1, 𝐆2)^ℓ is well formed iff none of the following
holds:

1. ℓ = enter/accept and ∃ Gi ∈ 𝐆2, Gj ∈ 𝐆1 : Gi ∉ C(Gj)

2. ℓ = exit/expel and ∃ Gi ∈ 𝐆2, Gj ∈ 𝐆1 : Gi ∉ C(Gj)

Intuitively, a capability type (𝐆1, 𝐆2)^ℓ describing the entrance (exit) of an ambient of type Gj ∈ 𝐆1 into (out
of) an ambient of type Gi ∈ 𝐆2 is not correct if Gj cannot (cross) stay in Gi.
We now define the environment F mapping names to types: 
Actions
    $c!{m}                Output
    $c?{m}                Input

Directions
    loc                   Intra-ambient
    sts                   Inter-siblings
    ptc                   Parent to child
    ctp                   Child to parent

Capabilities Prefixes
    enter                 Entry
    accept                Accept
    exit                  Exit
    expel                 Expel
    merge⊕                Merge with
    merge−                Merge into

    M h                   Capabilities

Processes
    0                     Empty process
    (ν n)P                Restriction
    P | Q                 Composition
    !P                    Replication
    a[[P]]                Ambient
    π.P                   Communication prefix
    S.P                   Capability prefix
    Σ_{i∈I} π_i.P_i       Communication choice
    Σ_{i∈I} M_i.P_i       Capability choice

Figure 1: BioAmbients: Syntax.
    G1 … Gn                                            Group types
    t ::= G | s | y                                    Channels arguments
    s ::= (𝐆1, 𝐆2)^ℓ                                   Capability types
    ℓ ::= enter/accept | exit/expel | merge⊕/merge−    Labels
    y ::= ch(t)                                        Channels

Figure 2: Type syntax.

we assume that we can write Γ, m : t only if m does not occur in Γ, i.e. m ∉ Dom(Γ) (Dom(Γ) denotes the
domain of Γ, i.e., the set of names occurring in Γ). An environment Γ is well formed if for each name the
associated type is well formed.

In the following we define compatibility between a group type and an argument type. 

Definition 2 (s-G Compatibility). Given a capability type s = (𝐆1, 𝐆2)^ℓ and a group type G we define
their compatibility as follows:

s ≍ G iff s is well formed and at least one between G ∈ 𝐆1 and G ∈ 𝐆2 holds.

We can check the safety of BioAmbients processes using the rules in Figure 3. Let Γ be type environment
from which we derive the type of names (rule [Name]); typing rules for processes have the shape:

Γ ⊢ P : 𝐆 ▷ Δ

where P is a process, 𝐆 is a set of group types representing the types of the ambients in P and Δ is a set
of capability types collecting the capabilities in P.

[Inact] derives any group type G for the empty process (indeed the empty process can stay in every
type of ambient); [Par] gives to parallel composition of processes P and Q the union of the sets of groups
𝐆1 and 𝐆2 obtained by typing P and Q; rule [Amb] checks whether a process P can be safely nested in
an ambient a of type G: if P is typed with a set of types 𝐆 we have to ensure that every type Gk in 𝐆
can stay in an ambient of type G; moreover, all capability types collected in Δ while typing P must be
compatible with G; since the scope of the capabilities is the enclosing ambient, once the capabilities in
Δ have been checked to be admissible, Δ is emptied; rule [Cap] verifies the correspondence between the
type of a name used for capability synchronization and the capability prefix used with it and then adds
the type to Δ; rule [Choice] gives to the choice between P and Q the union of the sets of groups 𝐆1 and
𝐆2 derived by typing P and Q.

We now show an example motivating the presence of the C set of ambient groups that can be crossed. 
Hydrophilic molecules are typically charge-polarized and capable of hydrogen bonding, thus enabling them
to dissolve more quickly in water than in oil. Hydrophobic molecules instead tend to be non-polar and 
thus prefer other neutral molecules and non-polar solvents. As a consequence, hydrophobic molecules 
in water tend to cluster together forming micelles. Hydrophobic molecules can cross cell membranes in 
a natural (and slow) way, even if there is no particular transporter on the membrane. On the contrary, 
hydrophilic molecules can cross membranes only with dedicated transporters (conveyers). We can model 
these crossing properties with our type system. Namely, we can represent cells with or without conveyers 
as ambients of type GcConv and Gc respectively; molecules can be of type GHphi (hydrophilic) and GHpho
(hydrophobic). Finally, transporters have type Gconv. Molecules of types GHphi and GHpho can stay in
both GcConv and Gc cells but only GHpho molecules can cross Gc cells. The sets S and C associated to
the types are given in Figure 4.
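\[ \Gamma \vdash 0 : \mathbf{G} \triangleright \emptyset \quad [\text{Inact}] \qquad\qquad \Gamma, n : t \vdash n : t \quad [\text{Name}] \]

\[ \frac{\Gamma \vdash P : \mathbf{G} \triangleright \Delta}{\Gamma \vdash (\nu c)P : \mathbf{G} \triangleright \Delta} \; [\text{Restr}] \qquad \frac{\Gamma \vdash P : \mathbf{G}_1 \triangleright \Delta_1 \quad \Gamma \vdash Q : \mathbf{G}_2 \triangleright \Delta_2}{\Gamma \vdash P \mid Q : \mathbf{G}_1, \mathbf{G}_2 \triangleright \Delta_1 \cup \Delta_2} \; [\text{Par}] \qquad \frac{\Gamma \vdash P : \mathbf{G} \triangleright \Delta}{\Gamma \vdash\ !P : \mathbf{G} \triangleright \Delta} \; [\text{Repl}] \]

\[ \frac{\Gamma \vdash a : G \quad \Gamma \vdash P : \mathbf{G} \triangleright \Delta \quad G \in S(G_k)\ \ \forall G_k \in \mathbf{G} \quad s \asymp G\ \ \forall s \in \Delta}{\Gamma \vdash a[\![P]\!] : G \triangleright \emptyset} \; [\text{Amb}] \]

\[ \frac{\Gamma \vdash c : ch(t) \quad \Gamma, n : t \vdash P : \mathbf{G} \triangleright \Delta}{\Gamma \vdash \$c?\{n\}.P : \mathbf{G} \triangleright \Delta} \; [\text{Input}] \qquad \frac{\Gamma \vdash c : ch(t) \quad \Gamma \vdash P : \mathbf{G} \triangleright \Delta \quad \Gamma \vdash m : t}{\Gamma \vdash \$c!\{m\}.P : \mathbf{G} \triangleright \Delta} \; [\text{Out}] \]

\[ \frac{\Gamma \vdash h : s \quad M \in s \quad \Gamma \vdash P : \mathbf{G} \triangleright \Delta}{\Gamma \vdash M\,h.P : \mathbf{G} \triangleright \Delta \cup \{s\}} \; [\text{Cap}] \qquad \frac{\Gamma \vdash P : \mathbf{G}_1 \triangleright \Delta_1 \quad \Gamma \vdash Q : \mathbf{G}_2 \triangleright \Delta_2}{\Gamma \vdash P + Q : \mathbf{G}_1 \cup \mathbf{G}_2 \triangleright \Delta_1 \cup \Delta_2} \; [\text{Choice}] \]

Figure 3: Typing rules.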

Group types G    S(G)           C(G)
Gc               Guniv          Guniv
GcConv           Guniv          Guniv
GcConv G
GHphi            GcConv, Gc     GcConv
GHpho            GcConv, Gc     GcConv, Gc

Figure 4: Types for molecules and cells.



Let 



r = cellC : Gcconv, cell : Gc, conv : Ga„v, h' : {GHphi,Gcr^l^''^^\ h" : {GHpho,Gcr'^'l^^^^^\ 
moh : Guphi, moh : Gupho, h : {{GHphi,GHpho],Gconvr'^"^'^^^\ h2 : (Gconv,Gcconvr^'^''^^\ 

h : iGconv,GcConvr'^''^'^^^\ ^4 : aGHphi,GHpho},Gconvr^'^''^^' 

A cell with conveyors can be modeled as an ambient of type Gcconv with nested conveyors and molecules: 

cellC\[lconv\[P]] \ mo/i [[enter h.exlt h4]] \ mol2\Lex\l h' + enter h.exW h^l^ | expel h'l\ 

where P = accept h. enter h1. exit h2. enter h3. expel h4. Thus we model the conveyor as first accepting
molecules through h then exiting the current cell through h2, entering a new cell through and finally
releasing it through h4. Molecules of type GHphi (mol1) can enter inside the conveyor through h and
finally be expelled by it, after the transport, through h4; instead molecules of type GHpho (mol2) can also
pass the membrane cell without the use of a conveyor (through h').

4 Typed Operational semantics 



In this section we extend the semantics of BioAmbients by adding rules which raise errors as a consequence
of undesired behaviour. The structural congruence of BioAmbients remains unchanged, we recall
    P | Q ≡ Q | P                        (P | Q) | R ≡ P | (Q | R)
    P | 0 ≡ P                            (ν n)0 ≡ 0
    (ν n)(ν m)P ≡ (ν m)(ν n)P            (ν n)(P | Q) ≡ P | (ν n)Q   if n ∉ fn(P)
    (ν n)a[[P]] ≡ a[[(ν n)P]]            $c?{m}.P ≡ $c?{n}.P[m ← n]   if n ∉ fn(P)
    (ν m)P ≡ (ν n)P[m ← n]   if n ∉ fn(P)    !0 ≡ 0
    !P ≡ P | !P

Figure 5: Structural congruence.



it in Figure 5. Rules for ambients movements and communications model reactions which may happen
when two complementary prefixes on the same name n occur in parallel. Safety of communications and
enter/accept capabilities can be statically checked by typing rules: enter/accept capabilities are ensured
to be well formed, i.e. they cannot move an ambient a[[…]] of type G in an ambient b[[…]] of type
G' if G' ∉ S(G) (see Definition 1). On the other hand, a static control of exit/expel and merge⊕/merge−
capabilities would require too many constraints in the definition of group types: we should check the
relation between the group types involved in all possible exit/expel and merge⊕/merge− interactions;
as a consequence the type system would be very restrictive discarding also safe reductions just because
of the presence of potentially unsafe capability prefixes in a choice. For this reason we check exit/expel
and merge⊕/merge− reductions at run-time, signalling errors when they arise. The reduction rules are
in Figure 6.

Rule [Red In] reduces the synchronization (through a name h) of enter h/accept h capability to
the entrance of an ambient a[[…]] in an ambient b[[…]]. As explained above, if this rule is applied to
a well typed process after the reduction the nesting of ambients is safe. Rule [Red Out] reduces the
synchronization of exit h/expel h prefixes to the exit of an ambient b[[…]] out of an ambient a[[…]]. We
put a warning W(Gb) in parallel with the new sibling ambients, since we do not know in which ambient
b[[…]] will arrive once exited from a[[…]]: e.g. b[[…]] could be nested in an ambient where it cannot stay.
Two rules model the reduction of warned ambients inside another ambient: [Red Amb WarnOK] reduces
the warning parallel to a safe one if the exit did not produce an unsafe nesting; on the contrary, in case
of unsafe nesting [Red Amb Warning] generates an error; finally rule [Red Amb] models reduction inside
an ambient when there are no warnings.

Rule [Merge] reduces the synchronization of merge⊕ h/merge− h prefixes to the fusion of two
sibling ambients into a single one: the merge− prefix "brings" all the processes in parallel with the
prefixed one into the sibling ambient. We cannot check statically which processes will be in parallel
with the prefixed one when the reduction rule is applied: we perform this check at runtime raising an
error in case of unsafe nesting due to the merging of two sibling ambients (rule [Red Merge Warning]).
Concerning communications, rules are unchanged w.r.t. [23]: they model names substitutions due to
communications between processes located in same ambient ([Red Local]), in parent-child ambients
([Red Parent Output], [Red Parent Input]) and in sibling ambients ([Red Sibling]).

Note that in the rules of our operational semantics there are no checks on the sets C since capability 
types should be well formed (thus satisfying the conditions for C sets). 

Let Error Gi[[Gj]] range over expelError Gi[[Gj]] and mergeError Gi[[Gj]]. A well typed process either
reduces to another well typed process or generates an error.

Theorem 1. If Γ ⊢ P : 𝐆 ▷ Δ then

• either P → P' or P → P' | W(G) and ∃ Γ', 𝐆', Δ' such that Γ' ⊢ P' : 𝐆' ▷ Δ'

• or ∃ Gi, Gj such that P → Error Gi[[Gj]]
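\[ a[\![(T + \mathsf{enter}\ h.P) \mid Q]\!] \mid b[\![(T' + \mathsf{accept}\ h.R) \mid S]\!] \;\to\; b[\![a[\![P \mid Q]\!] \mid R \mid S]\!] \qquad [\text{Red In}] \]

\[ a[\![b[\![(T + \mathsf{exit}\ h.P) \mid Q]\!] \mid (T' + \mathsf{expel}\ h.R) \mid S]\!] \;\to\; b[\![P \mid Q]\!] \mid a[\![R \mid S]\!] \mid W(G_b) \qquad [\text{Red Out}] \]

\[ \frac{P \to R \mid W(G_i) \quad \Gamma \vdash a : G_a \quad G_a \in S(G_i)}{a[\![P]\!] \to a[\![R]\!]} \; [\text{Red Amb WarnOK}] \]

\[ \frac{P \to R \mid W(G_i) \quad \Gamma \vdash a : G_a \quad G_a \notin S(G_i)}{a[\![P]\!] \to \mathsf{expelError}\ G_a[\![G_i]\!]} \; [\text{Red Amb Warning}] \]

\[ \frac{P \to Q}{a[\![P]\!] \to a[\![Q]\!]} \; [\text{Red Amb}] \]

\[ \frac{\Gamma \vdash a : G_a \quad \Gamma \vdash R : \mathbf{G}_R \quad \Gamma \vdash S : \mathbf{G}_S \quad \forall G_i \in (\mathbf{G}_R, \mathbf{G}_S),\ G_a \in S(G_i)}{a[\![(T + \mathsf{merge{\oplus}}\ h.P) \mid Q]\!] \mid b[\![(T' + \mathsf{merge{-}}\ h.R) \mid S]\!] \;\to\; a[\![P \mid Q \mid R \mid S]\!]} \; [\text{Red Merge}] \]

\[ \frac{\Gamma \vdash a : G_a \quad \Gamma \vdash R : \mathbf{G}_R \quad \Gamma \vdash S : \mathbf{G}_S \quad \exists G_i \in (\mathbf{G}_R, \mathbf{G}_S),\ G_a \notin S(G_i)}{a[\![(T + \mathsf{merge{\oplus}}\ h.P) \mid Q]\!] \mid b[\![(T' + \mathsf{merge{-}}\ h.R) \mid S]\!] \;\to\; \mathsf{mergeError}\ G_a[\![G_i]\!]} \; [\text{Red Merge Error}] \]

\[ (T + \mathsf{loc}\ c?\{m\}.P) \mid (T' + \mathsf{loc}\ c!\{n\}.Q) \;\to\; P[m \leftarrow n] \mid Q \qquad [\text{Red Local}] \]

\[ (T + \mathsf{ptc}\ c!\{n\}.P) \mid a[\![(T' + \mathsf{ctp}\ c?\{m\}.Q) \mid R]\!] \;\to\; P \mid a[\![Q[m \leftarrow n] \mid R]\!] \qquad [\text{Red Parent Output}] \]

\[ a[\![(T + \mathsf{ctp}\ c!\{n\}.P) \mid R]\!] \mid (T' + \mathsf{ptc}\ c?\{m\}.Q) \;\to\; a[\![R \mid P]\!] \mid Q[m \leftarrow n] \qquad [\text{Red Parent Input}] \]

\[ a[\![(T + \mathsf{sts}\ c!\{n\}.P) \mid R]\!] \mid b[\![(T' + \mathsf{sts}\ c?\{m\}.Q) \mid S]\!] \;\to\; a[\![R \mid P]\!] \mid b[\![Q[m \leftarrow n] \mid S]\!] \qquad [\text{Red Sibling}] \]

\[ \frac{P \to Q}{(\nu n)P \to (\nu n)Q} \; [\text{Red Res}] \qquad \frac{P \to Q}{P \mid R \to Q \mid R} \; [\text{Red Par}] \qquad \frac{P \equiv P' \quad P \to Q \quad Q \equiv Q'}{P' \to Q'} \; [\text{Red} \equiv] \]

Figure 6: Operational Semantics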



Proof. By induction on the definition of →.

Note that our semantics does not reduce the warnings W(G) at top level. While they do not affect 
the system evolution, they could be useful in a compositional setting. In particular, if the entire process 
should be nested, at some point, into another ambient, the warnings keep the conditions on the admissible 
ambients (without the need to recompute the whole type of the system). 



5 Motivating Examples 

In this section we provide a couple of simple but motivating examples. In the following we will use a 
instead of a[[0]] and we assume S(G) = C(G) whenever C is not explicitly represented.
Group types
of basic elements 



S(G) 



S{Ga) 

S{Gh) 

S(Gr) 
SiGa) 

SiGj) 



Ga-, Gab-, Ga+, Gab 
Gb-, Gab-, Gb+, Gab 




'-'A+> '-'A-> '~JU+, ^U- 

Ga-,Gb-, Gab-, Gq- 



Figure 7: Types for blood groups. 



5.1 Blood transfusion 

This example has been inspired by Q. A blood type is a classification of blood based on the presence 
or absence of inherited antigenic substances on the surface of red blood cells: these antigens are the A 
antigen and the B antigen. Blood type A contains only A antigens, blood type B contains only B antigens, 
blood type AB contains both and the blood type O contains none of them. 

The immune system will produce antibodies that can specifically bind to a blood group antigen that 
is not recognized as self: individuals of blood type A have Anti-B antibodies, individuals of blood type 
B have Anti-A antibodies, individuals of blood type O have both Anti-A and Anti-B antibodies, and 
individuals of blood type AB have none of them. These antibodies can bind to the antigens on the 
surface of the transfused red blood cells, often leading to the destruction of the cell: for this reason, it is 
vital that compatible blood is selected for transfusions. 

Another antigen that refines the classification of blood types is the RhD antigen: if this antigen is 
present, the blood type is called positive, else it is called negative. Unlike the ABO blood classification, 
the RhD antigen is immunogenic, meaning that a person who is RhD negative is very likely to produce
Anti-RhD antibodies when exposed to the RhD antigen, but it is also common for RhD-negative individuals
not to have Anti-RhD antibodies. We model blood transfusion as a system consisting of a set of
closed tissues. Tissues contain blood cells and antibodies according to the classification described above,
then they can join each other performing a transfusion of different blood types. We model a red blood
cell as an ambient whose type represents the blood type; thus, the groups representing blood types are:
Ga+, Ga-, Gb+, Gb-, Gab+, Gab-, Go+, Go-. We represent A, B, RhD antigen and Anti-A, Anti-B and
Anti-RhD antibodies as ambients of type Ga, Gb, Gr, Gα, Gβ, Gγ respectively. The sets S(G) associated
to the different blood types are given in Figure 7. Finally, we model a tissue (which contains the red
cells) as an ambient of type Gi ∈ {Ga+, Ga-, Gb+, Gb-, Gab+, Gab-, Go+, Go-}.

We model blood transfusion as the reduction between two tissues having complementary merge
capabilities (merge− for the donor, merge⊕ for the receiver). For instance let us consider a tissue
t1 represented by an ambient of type Ga+ and two potential donors t2 and t3, of types Gb+ and Go+
respectively:

P^fi[I!(merge©/ji-i-merge©/z2-i-...merge©/i„) |ai \ bi | nJ U2 Emerge- /ii \ bi | r2l] U3 Emerge- /j2 I raJ 
P is well typed with 
Figure 8: A bacterium (a) could be represented as a membrane containing the bacterium's DNA. A
resistant (coated) spore (b) is represented as a bacterium surrounded by its coat. A bacteriophage (c)
is depicted with the outer capsid, containing the genetic material, and the hypodermic syringe, used to 
inject its genetic material into the bacteria cells (d). They cannot inject coated cells (e). 

Thus, the tissue t1 can potentially receive blood from many donors (merge⊕ h1 + merge⊕ h2 + … merge⊕ hn),
and, because for example of some human error, may also receive blood which is not compatible to its
own. Let us consider two possible reductions. The first one:

fi[I!(merge®/ji+merge®/j2 + ...merge®/z„)|ai \bi InJ Uilmerge-Zzi \bi \r2j\ — >mergeError Ga+IG;,]] 

results in an error because of a wrong transfusion causing the presence of an antigen of type Gb in a
tissue of type Ga+. The second one:

?i[I!(merge®/ji +merge®/j2 + ...merge®/i„) | ai | Zji | nJ | fsdmerge- /i2 I 
[I!(merge®/ji + merge®/j2 + . . . merge®/?,,) | ai | Z^i | n | rsJ 

models a transfusion between compatible blood types, namely A+ and O+.
5.2 Bacteriophage viruses 

In this section we use our system to model the interaction between bacteria and bacteriophage viruses 
(see Figure 8).

We assume that a bacterium consists of a cellular membrane containing its DNA. The sporulation
mechanism allows producing inactive and very resistant bacteria forms, called spores which are surrounded
by a membrane (coat) protecting them from virus attacks. A spore can germinate and then produce
a new bacterium. A bacterium can safely stay in ambients containing viruses if it is protected by its
coat. The types involved in this model are: GEnvOk, GEnvVirus are the types of environments respectively
virus-free and virus-friendly; GBact, GCoat are the types of the bacteria and the protecting membrane. GVir
is the type of viruses. The corresponding (relevant) S groups are shown in Figure 9.
Now let us consider a bacterium b2 surrounded by a coat b1 (we omit the description of the DNA inside
the bacterium):

P = b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]]

P is well typed with: 

r — h ■ rr' r \exit/expel u • tn n \enter/accept u ■ tn n \enter/accept 
1 - « . (SrBact,^Coat) ^ , ■ (^JCoat,^ EnvOK) , m ■ K^Coat,^ EnVirus) 

b1 : GCoat, b2 : GBact, a1 : GEnvVirus, a2 : GEnvOk
Group types of basic elements    S(G)
GBact                            GEnvOk
GCoat                            GEnvOk, GEnvVirus
GVir                             GEnvVirus

Figure 9: Bacteria-Viruses Example: Types

We represent the chance of the bacterium to get rid of the coat as an exit/expel capability through the
name h which allows the bacterium to germinate (exiting from its protecting membrane). The coat
(containing the bacterium) can move in every environment, while the bacterium can only enter GEnvOk
environments; this is modeled by the use of suitable enter/accept capabilities. We now put the two
environments a1 (allowing viruses) and a2 (virus-free) in parallel with the bacterium b1. There are three
possible behaviours (in the following we put labels on transitions for the sake of readability):

1. The bacterium gets rid of the coat and then can enter only in a2:

b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]] | a1[[!accept h1]] | a2[[!accept h2]]

exit/expel(h)
→

b1[[!(expel h + enter h1 + enter h2)]] | b2[[enter h2]] | W(a1[[!accept h1]]) | a2[[!accept h2]]

enter/accept(h2)
→

b1[[!(expel h + enter h1 + enter h2)]] | a1[[!accept h1]] | a2[[b2[[]] | !accept h2]]

2. The coat can move in the ambient a1 and then expel the bacterium in this hostile environment (thus
generating an error):

b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]] | a1[[!accept h1]] | a2[[!accept h2]]

enter/accept(h1)
→

a1[[b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]] | !accept h1]] | a2[[!accept h2]]

exit/expel(h)
→

a1[[b1[[!(expel h + enter h1 + enter h2)]] | W(b2[[exit h | enter h2]]) | !accept h1]] | a2[[!accept h2]]

→

expelError GEnvVirus[[GBact]]

3. The coat can move in the ambient a2 and then expel the bacterium:

b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]] | a1[[!accept h1]] | a2[[!accept h2]]

enter/accept(h2)
→

a2[[b1[[b2[[exit h | enter h2]] | !(expel h + enter h1 + enter h2)]] | !accept h2]] | a1[[!accept h1]]

exit/expel(h)
→

a2[[b1[[!(expel h + enter h1 + enter h2)]] | W(b2[[exit h | enter h2]]) | !accept h2]] | a1[[!accept h1]]

→

b1[[!(expel h + enter h1 + enter h2)]] | a1[[!accept h1]] | a2[[b2[[enter h2]] | !accept h2]]

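
The run-time checks of Figure 6 and the well-formedness test of Definition 1, applied to the spore model above and to one transfusion from Section 5.1, as an added example that is not code from the paper. The names Ambient, enter, expel, merge, spore and transfuse are hypothetical, and the entries of S flagged in the comments (GCoat in S(GBact), and the sets for Gb and Gr) are assumptions of this example.

```python
from dataclasses import dataclass, field

# S(G): the groups in which an ambient of group G may stay.
S = {
    # Figure 9. GCoat in S(GBact) is an assumption of this example: the
    # figure lists only the "relevant" groups and b2 starts inside coat b1.
    "GBact": {"GEnvOk", "GCoat"},
    "GCoat": {"GEnvOk", "GEnvVirus"},
    "GVir": {"GEnvVirus"},
    # Antigens of Section 5.1; both sets are assumptions of this example.
    "Gb": {"Gb+", "Gb-", "Gab+", "Gab-"},  # B antigen
    "Gr": {"Ga+", "Gb+", "Gab+", "Go+"},   # RhD antigen
}
C = S  # Section 5 assumes S(G) = C(G) when C is not given explicitly


class ExpelError(Exception):
    pass


class MergeError(Exception):
    pass


def well_formed(g1, g2, label):
    """Definition 1: (G1, G2)^label is ill formed when some Gi in G2 is not
    in C(Gj) for some Gj in G1. Merge labels carry no static condition."""
    if label not in ("enter/accept", "exit/expel"):
        return True
    return all(gi in C.get(gj, set()) for gj in g1 for gi in g2)


@dataclass(eq=False)
class Ambient:
    name: str
    group: str
    children: list = field(default_factory=list)
    parent: object = field(default=None, repr=False)

    def add(self, child):
        child.parent = self
        self.children.append(child)


def enter(a, b):
    """[Red In]: top-level ambient a moves into its sibling b. The typing
    rules already guarantee this nesting; the assertion restates it."""
    assert b.group in S.get(a.group, set())
    b.add(a)


def expel(b):
    """[Red Out], then [Red Amb WarnOK] or [Red Amb Warning]: b leaves its
    parent a and becomes a's sibling. At top level the warning W(G_b) is
    returned unreduced; inside an ambient it is checked against S(G_b)."""
    a = b.parent
    outer = a.parent
    if outer is not None and outer.group not in S.get(b.group, set()):
        raise ExpelError(f"expelError {outer.group}[[{b.group}]]")
    a.children.remove(b)
    b.parent = None
    if outer is None:
        return ("W", b.group)
    outer.add(b)
    return None


def merge(a, b):
    """[Red Merge] or [Red Merge Error]: the contents of b move into a if
    a's group is in S(Gi) for every ambient group Gi found inside b."""
    for child in b.children:
        if a.group not in S.get(child.group, set()):
            raise MergeError(f"mergeError {a.group}[[{child.group}]]")
    for child in list(b.children):
        a.add(child)
    b.children.clear()


def spore(env_group):
    """Section 5.2, behaviours 2 and 3: the coat b1 enters an environment
    of the given group and then expels the bacterium b2 there."""
    env, coat = Ambient("a", env_group), Ambient("b1", "GCoat")
    bact = Ambient("b2", "GBact")
    coat.add(bact)
    enter(coat, env)
    try:
        expel(bact)
    except ExpelError as err:
        return str(err)
    return sorted(c.name for c in env.children)


def transfuse(donor_group, antigens):
    """Section 5.1: a Ga+ tissue (the receiver) takes in the contents of a
    donor tissue holding ambients of the given antigen groups."""
    receiver, donor = Ambient("t1", "Ga+"), Ambient("t2", donor_group)
    for i, group in enumerate(antigens):
        donor.add(Ambient(f"x{i}", group))
    try:
        merge(receiver, donor)
    except MergeError as err:
        return str(err)
    return sorted(c.group for c in receiver.children)
```

The failing cases return the same error terms the text derives: `spore("GEnvVirus")` gives expelError GEnvVirus[[GBact]] and `transfuse("Gb+", ["Gb", "Gr"])` gives mergeError Ga+[[Gb]].
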
6 Conclusions 



The most common approach of biologists to describe biological systems is based on the use of deterministic
mathematical means (like, e.g., ODE), and makes it possible to abstractly reason on the behaviour of
biological systems and to perform a quantitative in silico investigation. This kind of modelling, however,
becomes more and more difficult, both in the specification phase and in the analysis processes, when the 
complexity of the biological systems taken into consideration increases. This has probably been one of 
the main motivations for the application of Computer Science formalisms to the description of biological 
systems [24]. Other motivations can also be found in the fact that the use of formal methods from Computer
Science permits the application of analysis techniques that are practically unknown to biologists,
such as, for example, static analysis and model checking. 

Different formalisms have either been applied to (or have been inspired from) biological systems. 
The most notable are automata-based models El [HI, rewrite systems [13, 19], and process calculi [24,
25, 23, 9, 22]. Automata-based models have the advantage of allowing the direct use of many verification
tools, such as, for example, model checkers. On the other side, models based on rewrite systems describe 
biological systems with a notation that can be easily understood by biologists. However, automata-like 
models and rewrite systems are not compositional. The possibility to study in a componentwise way the 
behaviour of a system is, in general, naturally ensured by process calculi, including those commonly used
to describe biological systems. 

In this paper we have laid the foundations for a type system for the BioAmbients calculus suitable 
to guarantee compatible compartments nesting (due to some intrinsic biological properties). In this
framework, the correctness of the enter/accept capabilities can be checked statically, while the merge
capability and the exit/expel capabilities could cause the movement of an ambient of type G within an
ambient of type G' and dynamically raise an error. We used our type discipline to model how incompatible
blood transfusion could cause the system to raise an error, or to represent the movement of bacteria spore
into friendly environments where they can germinate and restart their activity. 